topic Re: 871 router, EZvpn and VoIP QOS in Network Security

871 router, EZvpn and VoIP QOS

jkeeffe — Fri, 21 Feb 2020 09:18:50 GMT

We're deploying 871 routers to remote teleusers who will also have an IP phone, and a cable modem to connect them to the Internet. We will be configuring IPsec VPNs for their connectivity back to our corporate site to a 3030 concentrator.

Are we able to use the 871 EZvpn client config and still use QOS for voice, or must we configure the 871 the normal lan-to-lan way?

Using EZvpn I don't see how to add the "qos pre-classify" which is necessary to prioritize voice once it has been wrapped in an IPsec header?

Am I correct is thinking that we cannot use EZvpn?

Re: 871 router, EZvpn and VoIP QOS

hadbihas — Mon, 20 Nov 2006 18:15:04 GMT

You should be able to use EZvpn along with QOS for VoIP... I have been using it for a while and works just fine. Here is sample config: This is a 12.4.9T IOS, so pay attention to the "DNS view"... it gets downloaded from the 3030 but I still modify it to use the router itself as a DNS forwarder (or you can also use split DNS):

crypto isakmp enable

crypto isakmp xauth timeout 60

crypto ipsec client ezvpn EZVPNClient

connect auto

group [*VPNGROUPNAME1*] key 0 [*VPNGROUPPASSWORD1*]

mode network-extension

peer [*VPNPEERIPADDRESS1*] default

peer [*VPNPEERIPADDRESS2*]

xauth userid mode interactive

ip dns view ezvpn-internal-view

logging

domain list ******.****.com

domain name-server [*NAMESERVER1*]

domain name-server [*NAMESERVER2*]

domain name-server interface Loopback1

dns forwarding source-interface Loopback1

ip dns view-list ezvpn-internal-view

view ezvpn-internal-view 1

ip host my-router 192.168.1.254

ip host view ezvpn-internal-view my-router 192.168.1.254

ip domain list ****.*****.com

ip name-server [*NAMESERVER1*] [*NAMESERVER2*]

ip domain lookup source-interface Loopback1

ip dhcp pool Local

network 192.168.1.0 255.255.255.0

default-router 192.168.1.254

dns-server 192.168.1.254

option 150 ip ***.***.***.****

lease 0 0 3

class-map match-all VOIP-SIG

match ip dscp af31

class-map match-all VOIP-RTP

match ip dscp ef

policy-map QOS-POLICY

class VOIP-RTP

priority 30

class VOIP-SIG

bandwidth 8

class class-default

fair-queue

interface Loopback1

ip address [*10.XXX.XXX.254*] 255.255.255.0

crypto ipsec client ezvpn EZVPNClient inside

interface FastEthernet0

no cdp enable

no shutdown

interface FastEthernet1

no cdp enable

no shutdown

interface FastEthernet2

no cdp enable

no shutdown

interface FastEthernet3

no cdp enable

no shutdown

interface FastEthernet4

ip address dhcp

crypto ipsec client ezvpn EZVPNClient

no ip redirects

no ip proxy-arp

no ip directed-broadcast

service-policy output QOS-POLICY

duplex auto

speed auto

no cdp enable

duplex auto

speed auto

no cdp enable

interface Vlan1

ip address 192.168.1.254 255.255.255.0

ip dns view-group ezvpn-internal-view

no ip redirects

no ip proxy-arp

ip nat inside

ip virtual-reassembly

no ip mroute-cache

no cdp enable

ip nat inside source static network 192.168.1.0 [*10.XXX.XXX.0*] /24 extendable

ip route 0.0.0.0 0.0.0.0 dhcp

Ihab

Re: 871 router, EZvpn and VoIP QOS

jkeeffe — Fri, 01 Dec 2006 03:40:12 GMT

Thanks - this really helps. Would you explain the dns view statements? You're right the 3030 pushed down two of these statements, both of which are the same except one ends with a '\'.

Also I notice that you don't do any traffic shaping. Have you not found a need to do that?

Re: 871 router, EZvpn and VoIP QOS

Andrii Oliinyk — Mon, 27 Oct 2008 10:48:08 GMT

AFAIK U dont need qos pre-classify feature while U just prioritize voice as ToS's IP precedence works well being copied to the outer ToS field in tunnel mode. Just ensure U use tunnel mode.